CVE-2024-45770: 
Rocky Linux vulnerability analysis and mitigation

A vulnerability was found in Performance Co-Pilot (PCP) identified as CVE-2024-45770. The vulnerability affects the pmpost tool, which is used to log messages in the system. This flaw can only be exploited if an attacker has access to a compromised PCP system account. Under certain conditions, it runs with high-level privileges (NVD, Red Hat).

The vulnerability exists in the pmpost utility which is used to append messages to the PCP notice board. When pmpost runs as root from within the pmcd startup script, it writes messages to /var/log/pcp/NOTICES. The directory /var/log/pcp belongs to pcp:pcp. The file is opened without the ONOFOLLOW flag, making it susceptible to symlink attacks. The vulnerability has a CVSS v3.1 Base Score of 4.4 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N ([Red Hat Bugzilla](https://bugzilla.redhat.com/showbug.cgi?id=2310451)).

This vulnerability could allow an attacker with access to a compromised PCP system account to coerce pmpost into creating new files in arbitrary locations or corrupting existing files in the system. Additionally, if the NOTICES file is newly created and pmpost runs as root, the fchown() operation allows passing ownership of arbitrary newly created files to pcp:pcp (Red Hat Bugzilla).

Red Hat has released security updates to address this vulnerability across multiple versions of Red Hat Enterprise Linux. Updates are available through various security advisories including RHSA-2024:6837, RHSA-2024:6840, RHSA-2024:6842, RHSA-2024:6843, RHSA-2024:6844, RHSA-2024:6846, RHSA-2024:6847, RHSA-2024:6848, and RHSA-2024:9452 (Red Hat Errata).